Add alternate scan root

Add the option to scan sub-folders inside a repository.
feat/SP-3754_alternate-scan-root

Author: eeisegn

.gitignore

@@ -101,3 +101,6 @@ __tests__/runner/*
 .idea
 .vscode
 *.code-workspace
+
+# Ignore tmp
+tmp/

CHANGELOG.md

@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.4.0] - 2025-12-09
+### Added
+- Added basic subfolder scanning
+- Added input scanPath to specify a folder to scan
+- Added [MONOREPO_SETUP.md](MONOREPO_SETUP.md) to guide workflow setup for individual folder scanning
+### Changed
+- Upgraded scanoss-py version to v1.41.0
+
 ## [1.3.1] - 2025-10-21
 ### Added
 - Added results conversion to spdxlite and csv
@@ -158,3 +166,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.2.5]: https://github.com/scanoss/gha-code-scan/compare/v1.2.4...v1.2.5
 [1.3.0]: https://github.com/scanoss/gha-code-scan/compare/v1.2.5...v1.3.0
 [1.3.1]: https://github.com/scanoss/gha-code-scan/compare/v1.3.0...v1.3.1
+[1.4.0]: https://github.com/scanoss/gha-code-scan/compare/v1.3.1...v1.4.0

MONOREPO_SETUP.md

@@ -0,0 +1,125 @@
+# SCANOSS GitHub Actions Code Scan: Monorepo Setup Guide
+
+## Introduction
+
+This guide explains how to configure SCANOSS code scanning for monorepos where you want to scan specific subdirectories independently.
+
+## Overview
+
+Instead of scanning the entire repository on every change, you can create separate workflows that:
+- Trigger only when specific paths are modified
+- Scan only the relevant subdirectory
+- Run independently with their own results
+
+## Architecture
+
+The setup uses a **reusable workflow** pattern:
+1. **Base workflow** (`scanoss.yml`) - The reusable workflow that performs the actual scanning
+2. **Trigger workflows** (e.g., `scanoss-component1.yml`, `scanoss-component2.yml`) - Individual workflows that call the base workflow with specific parameters
+
+## Setup Instructions
+
+### Step 1: Modify Your Existing scanoss.yml
+
+Add these sections to make it reusable:
+
+  ```yaml
+  on:
+    workflow_call:
+      inputs:
+        FILTERED_PATH:
+          description: 'Directory to scan'
+          required: true
+          type: string
+      secrets:
+        SC_API_KEY:
+          required: false
+        DT_API_KEY:
+          required: false
+```
+
+  Then update the scanPath parameter to use the input:
+
+```yaml
+        - name: Run SCANOSS Code Scan
+          uses: scanoss/code-scan-action@v1.4.0
+          with:
+            scanPath: ${{ inputs.FILTERED_PATH }}
+            # ... other parameters
+```
+
+### Step 2: Create Trigger Workflows
+
+Create separate workflow files for each component:
+
+`.github/workflows/scanoss-component1.yml`:
+```yaml
+name: SCANOSS - Component1
+
+on:
+  push:
+    paths:
+      - 'component1/**'                            <-- 
+  
+  # OR
+
+  pull_request:
+    paths:
+      - 'component1/**'                            <--
+
+jobs:
+  call-scanoss-workflow:
+    uses: ./.github/workflows/scanoss.yml  # Exact path to scanoss.yml inside your repo
+    with:
+      FILTERED_PATH: 'component1'                   <-- Remove /** and add here
+    secrets: inherit
+```
+
+`.github/workflows/scanoss-component2.yml`:
+```yaml
+name: SCANOSS - Component2
+
+on:
+  push:
+    paths:
+      - 'component2/**'                            <--
+
+  # OR
+
+  pull_request:
+    paths:
+      - 'component2/**'                            <--
+
+jobs:
+  call-scanoss-workflow:
+    uses: ./.github/workflows/scanoss.yml  # Exact path to scanoss.yml inside your repo
+    with:
+      FILTERED_PATH: 'component2'                   <-- Remove /** and add here
+    secrets: inherit
+```
+
+## Example Structure
+
+my-monorepo/
+├── .github/workflows/
+│   ├── scanoss.yml              # Reusable workflow
+│   ├── scanoss-component1.yml   # Triggers on component1/**
+│   ├── scanoss-component2.yml   # Triggers on component2/**
+│   └── scanoss-common.yml       # Triggers on common/**
+├── component1/
+├── component2/
+└── common/
+
+## Key Points
+
+- Path filters: Only trigger workflows when specific directories change
+- secrets: inherit: Required to pass repository secrets to the reusable workflow
+- Local workflow reference: for example ./.github/workflows/scanoss.yml (no branch name)
+- Secrets are optional: SC_API_KEY and DT_API_KEY (dt required if Dependency Track is enabled)
+
+## Benefits
+
+- Faster CI/CD - only scan affected components
+- Clearer results - each component has its own scan
+- Parallel execution - multiple components scan simultaneously
+- Reduced noise - PRs only show results for changed components

README.md

@@ -103,12 +103,13 @@ For example workflow runs, check out our
 | licenses.copyleft.include  | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list.                                                     | Optional     | -                                    |
 | licenses.copyleft.exclude  | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list.                                                       | Optional     | -                                    |
 | licenses.copyleft.explicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list.                                                              | Optional     | -                                    |
-| runtimeContainer           | Runtime URL                                                                                                                                              | Optional     | `ghcr.io/scanoss/scanoss-py:v1.37.1` |
+| runtimeContainer           | Runtime URL                                                                                                                                              | Optional     | `ghcr.io/scanoss/scanoss-py:v1.41.0` |
 | skipSnippets               | Skip the generation of snippets. (scanFiles option must be enabled)                                                                                      | Optional     | `false`                              |
 | scanFiles                  | Enable or disable file and snippet scanning                                                                                                              | Optional     | `true`                               |
 | scanossSettings            | Settings file to use for scanning. See the SCANOSS settings [documentation](https://scanoss.readthedocs.io/projects/scanoss-py/en/latest/#settings-file) | Optional     | `true`                               |
 | settingsFilepath           | Filepath of the SCANOSS settings to be used for scanning                                                                                                 | Optional     | `scanoss.json`                       |
 | scanMode                   | Choose between delta scan and full scan                                                                                                                  | Optional     | `full`                               |
+| scanPath                   | Relative path within the repository to scan (e.g., `src` or `packages/api`)                                                                              | Optional     | `.`                                  |
 | debug                      | Enable debugging                                                                                                                                         | Optional     | `false`                              |
 | deptrack.upload            | Enable automatic upload of scan results to Dependency Track                                                                                              | Optional     | `false`                              |
 | deptrack.url               | URL of the Dependency Track instance. Required when Dependency Track is enabled                                                                          | Required*    | -                                    |